Salt Typhoon — the name Microsoft assigned to a Chinese state-sponsored advanced persistent threat group linked to China's Ministry of State Security — is not a typical cyberattack story. It is not a ransomware group chasing a payday. It is not an opportunistic criminal operation exploiting an unpatched server. It is a sustained, strategic intelligence operation that penetrated the foundational communications infrastructure of the United States and remained undetected for years.

Understanding Salt Typhoon requires understanding not just what happened but why the pattern of targeting reveals something significant about Chinese strategic intent — and why the structural vulnerabilities it exploited remain largely unaddressed.

9+ major US telecom carriers confirmed breached
80 countries targeted by the campaign globally
3 years minimum dwell time in at least one carrier network

What actually happened

The campaign began at least as early as 2021, though some indicators suggest earlier activity. Salt Typhoon gained initial access to telecommunications infrastructure primarily by exploiting known vulnerabilities in network equipment — Cisco IOS XE devices were a documented entry point, with two specific CVEs exploited against more than 1,000 Cisco devices globally. Critically, patches for some of these vulnerabilities had been available for years. Senate testimony revealed that investigators found router vulnerabilities with patches that had been available for seven years and never applied.

Once inside carrier networks, the group demonstrated patience and sophistication that distinguishes nation-state operations from criminal actors. Rather than moving quickly and noisily toward a specific objective, Salt Typhoon established persistent access, mapped the network architecture, and quietly worked toward the systems that held the most intelligence value — the lawful intercept infrastructure.

The Communications Assistance for Law Enforcement Act of 1994 — CALEA — requires US telecommunications companies to build court-authorized wiretapping capabilities into their networks. These systems, mandated by law for law enforcement use, became Salt Typhoon's most valuable target. By compromising the CALEA infrastructure, the attackers gained access to the list of individuals being wiretapped by US law enforcement and intelligence agencies.

"Salt Typhoon obtained what may be the most valuable counterintelligence asset a foreign power could acquire — a roadmap of which Chinese intelligence assets the US had identified and was monitoring. That is not data theft. That is a strategic intelligence coup."

The timeline of a sustained operation

SALT TYPHOON — KEY EVENTS
2021: Initial access established
Salt Typhoon begins penetrating US telecom infrastructure by exploiting known vulnerabilities in network edge devices. Establishes persistence. Remains undetected.
Mar 2024: Supply chain and data exfiltration phase
Coordinated attacks target telecom supply chains. Custom malware deployed in core networks. Data exfiltration begins, including configuration files from US government entities.
Aug 2024: First public disclosure
Washington Post reports major ISPs compromised by Chinese hackers. US government confirms active investigation. Scope initially understated.
Oct 2024: Political targeting confirmed
Trump and Vance campaign phones confirmed affected. Harris campaign staff targeted. Metadata of over one million Washington DC area users accessed, including government targets.
Dec 2024: Nine carriers confirmed; scope expands
Deputy National Security Advisor Anne Neuberger confirms nine telecom companies breached. AT&T and Verizon claim containment. Recorded Future observes five more telecoms breached Dec 2024–Jan 2025.
Jan 2025: Sanctions; Cyber Safety Review Board disbanded
Treasury sanctions Sichuan Juxinhe Network Technology for direct Salt Typhoon involvement. Trump administration fires all CSRB members before the investigation completes.
Aug 2025: Full scope confirmed
FBI confirms 200+ companies across 80 countries affected. 600+ organizations notified of potential compromise. Campaign extends to transportation, military, and government infrastructure.
Dec 2025: Congressional intrusions detected
Intrusions detected in multiple US House of Representatives committees attributed to Salt Typhoon. As of early 2026, AT&T and Verizon have not provided evidence that the attackers have been fully eradicated.

Why the CALEA angle changes everything

Most analysis of Salt Typhoon focuses on the scale — nine carriers, eighty countries, a million users' metadata. The scale is significant. But the CALEA compromise is qualitatively different from a large data breach.

When Salt Typhoon accessed the wiretap infrastructure, they did not just steal data — they obtained intelligence about US intelligence. The list of individuals being wiretapped by US law enforcement and intelligence agencies is among the most sensitive information in the US government's possession. It reveals sources and methods. It identifies compromised assets. It tells China which of their operatives the US had identified and was monitoring.

Intelligence analysts quoted in the aftermath described this as potentially worse than the 2015 Office of Personnel Management breach — which exposed the personal information of millions of federal employees and contractors including those with security clearances. The OPM breach told China who had security clearances. The CALEA breach told China who was being watched.

There is a bitter institutional irony in this. The CALEA infrastructure that Salt Typhoon exploited was mandated by law specifically to give government access to private communications. The backdoor built for US law enforcement became the entry point for Chinese intelligence. This is the core argument that cryptographers and security researchers have made for thirty years about government-mandated encryption backdoors: you cannot build a door that only the right people can open.

The structural vulnerabilities that enabled it

Senate testimony revealed details about the security posture of affected carriers that are difficult to read without frustration. Legacy equipment not updated in years. Router vulnerabilities with patches available for seven years that were never applied. Weak password policies. Rudimentary security failures at companies with billions in revenue and critical national infrastructure responsibilities.

This is not a sophisticated zero-day attack story. The initial access in many cases exploited known vulnerabilities with available patches. The dwell time of three or more years suggests that detection capabilities were insufficient to identify an active threat actor that was not making obvious noise. These are not exotic failures — they are the basic security hygiene failures that the MyCyberBrief Intel feed covers weekly.

The telecom sector's security posture has historically lagged behind financial services and technology. Regulatory pressure for security investment is lower. Legacy infrastructure is pervasive. The sector's role as critical national infrastructure has not translated into security investment commensurate with that designation. Salt Typhoon exploited that gap deliberately and systematically.
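The seven-years-unpatched routers described above are an inventory problem before they are an intrusion problem. The script below is an added example, not code from the page or from any carrier or vendor: it runs a patch-age and known-fix audit over a constructed device inventory. Hostnames, versions, roles and the `fixed_in` values are placeholders invented for the example; the point is the ranking logic, which puts an internet-exposed device with a published fix outstanding ahead of everything else.

```python
"""Patch-age audit over a constructed network-device inventory.

Added example; not code from the page or from any carrier or vendor.
All device names, versions and 'fixed_in' values are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    hostname: str
    role: str              # "edge", "core", or "lawful-intercept"
    version: str           # running software version, e.g. "16.9.3"
    last_patched: date     # date the running image was installed
    fixed_in: str          # lowest version that closes the known flaw (placeholder)
    internet_exposed: bool


def parse_version(v: str) -> tuple:
    """Turn '17.3.4a' into ((17,''),(3,''),(4,'a')) so versions compare numerically.

    Each dotted piece becomes a (number, suffix) pair, which keeps tuple
    comparison well-typed and makes '16.12.4' sort above '16.9.3'.
    """
    pairs = []
    for piece in v.split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        pairs.append((int(piece[:i]) if i else 0, piece[i:]))
    return tuple(pairs)


def is_vulnerable(device: Device) -> bool:
    """True when the running version is below the version that carries the fix."""
    return parse_version(device.version) < parse_version(device.fixed_in)


def audit_inventory(devices, as_of: date, max_patch_age_days: int = 90):
    """Return (hostname, severity, reasons) for every device failing the audit,
    ordered critical -> high -> medium."""
    findings = []
    for d in devices:
        reasons = []
        age_days = (as_of - d.last_patched).days
        if is_vulnerable(d):
            reasons.append(f"running {d.version}, fix available in {d.fixed_in}")
        if age_days > max_patch_age_days:
            reasons.append(f"last patched {age_days} days ago")
        if not reasons:
            continue
        # Exposed device with a known fix outstanding outranks everything else;
        # anything touching lawful-intercept systems is never lower than high.
        if is_vulnerable(d) and d.internet_exposed:
            severity = "critical"
        elif is_vulnerable(d) or d.role == "lawful-intercept":
            severity = "high"
        else:
            severity = "medium"
        findings.append((d.hostname, severity, reasons))
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: rank[f[1]])
    return findings


# Constructed sample inventory: one stale edge router, one current but
# long-unpatched lawful-intercept gateway, one core router that is fine.
INVENTORY = [
    Device("edge-rtr-01", "edge", "16.9.3", date(2017, 6, 1), "16.12.4", True),
    Device("li-gw-01", "lawful-intercept", "3.2.1", date(2023, 1, 15), "3.2.1", False),
    Device("core-rtr-02", "core", "17.3.4a", date(2024, 11, 2), "17.3.4", False),
]
AUDIT_AS_OF = date(2025, 1, 1)


def run_audit():
    """Convenience wrapper so the sample audit can be called by name."""
    return audit_inventory(INVENTORY, as_of=AUDIT_AS_OF)


if __name__ == "__main__":
    for host, severity, why in run_audit():
        print(f"{severity:8} {host:14} {'; '.join(why)}")
```

Feeding this a real inventory means replacing `INVENTORY` with an export from whatever asset system the network team actually uses; the comparison and ranking logic does not change. The suffix-aware version parser matters in practice because a naive string comparison would rank "16.9.3" above "16.12.4" and silently hide exactly the stale devices the audit exists to find.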

What the targeting pattern reveals about intent

Salt Typhoon is not primarily a financial threat actor. The targeting pattern — telecom infrastructure, government wiretap systems, political campaign phones, Washington DC area communications, military infrastructure, foreign diplomatic communications — describes a counterintelligence and strategic positioning operation.

The intelligence value of persistent access to telecommunications infrastructure extends beyond immediate data theft. An actor embedded in a carrier's core routing infrastructure can monitor communications, identify surveillance targets, track individuals' locations, and in a crisis scenario potentially degrade or manipulate the communications infrastructure that military and government operations depend on.

Security analysts quoted following the FBI's August 2025 briefing characterized Salt Typhoon's access not just as espionage but as the positioning of a capability — a pre-positioned ability to act in a future conflict scenario. The access is valuable now for intelligence. It would be valuable in a crisis for disruption.

SITREP ASSESSMENT

Salt Typhoon represents a category of threat that the US has not adequately prepared for — a patient, strategically sophisticated nation-state actor targeting foundational communications infrastructure with a multi-year timeline and intelligence objectives that go beyond data theft.

The structural issues it revealed — mandatory backdoors that become attack surfaces, years of unpatched vulnerabilities in critical infrastructure, detection capabilities insufficient to identify multi-year intrusions — are not fixed. As of early 2026, affected carriers have not provided evidence of full remediation. The Cyber Safety Review Board investigation that would have produced recommendations for systemic improvement was terminated before completion.

The implications for security practitioners are direct: the perimeter security model is insufficient against patient, sophisticated actors with nation-state resources. Behavioral detection, network segmentation, zero trust architecture, and aggressive patching cadence are not optional enhancements — they are what the Salt Typhoon campaign demonstrates as the baseline requirement for any organization that matters to an adversary with strategic patience.
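Behavioral detection on carrier infrastructure reduces, in the simplest case, to asking whether an administrative action on a device is coming from where, and from whom, it should. The script below is an added example, not the page's or any vendor's code: it applies three such rules to a handful of constructed syslog-style lines. The log format, hostnames, account names, the management subnet and the approved-operator lists are all assumptions invented for the example; real device logs need a parser matched to their actual format.

```python
"""Rule-based detection over constructed network-device audit logs.

Added example; not code from the page or from any vendor.
The log format, hosts, accounts and address ranges are all constructed.
"""
import ipaddress
import re

# Assumed environment facts (placeholders, not from the page).
MANAGEMENT_NET = ipaddress.ip_network("10.20.0.0/24")   # only place admins should come from
APPROVED_CHANGE_USERS = {"netops"}                      # accounts allowed to change config
LI_OPERATORS = {"li-ops"}                               # accounts allowed on intercept gear
DEVICE_ROLES = {"edge-rtr-01": "edge", "li-gw-01": "lawful-intercept"}

# Constructed log lines: a routine change, then a service account appearing
# from outside the management network and changing config, then an ordinary
# operator logging in to the lawful-intercept gateway.
SAMPLE_LOG = [
    "2024-03-12T02:14:07Z edge-rtr-01 LOGIN user=netops src=10.20.0.15",
    "2024-03-12T02:15:40Z edge-rtr-01 CONFIG_CHANGE user=netops src=10.20.0.15",
    "2024-03-12T03:02:11Z edge-rtr-01 LOGIN user=svc_backup src=203.0.113.77",
    "2024-03-12T03:05:52Z edge-rtr-01 CONFIG_CHANGE user=svc_backup src=203.0.113.77",
    "2024-03-13T01:30:00Z li-gw-01 LOGIN user=netops src=10.20.0.15",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+) src=(\S+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything the regex rejects."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, user, src = m.groups()
    return {"ts": ts, "host": host, "event": event, "user": user, "src": src}


def rule_outside_management_net(ev):
    """Any device access from outside the management subnet is suspicious."""
    return ipaddress.ip_address(ev["src"]) not in MANAGEMENT_NET


def rule_unapproved_config_change(ev):
    """Config changes by accounts not on the approved list."""
    return ev["event"] == "CONFIG_CHANGE" and ev["user"] not in APPROVED_CHANGE_USERS


def rule_li_access_by_non_li_operator(ev):
    """Lawful-intercept hosts are restricted to a separate operator group."""
    return (DEVICE_ROLES.get(ev["host"]) == "lawful-intercept"
            and ev["user"] not in LI_OPERATORS)


RULES = {
    "access_outside_management_net": rule_outside_management_net,
    "unapproved_config_change": rule_unapproved_config_change,
    "li_access_by_non_li_operator": rule_li_access_by_non_li_operator,
}


def detect(lines):
    """Run every rule over every parsable line; return one alert per (rule, event) hit."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue   # malformed lines are skipped here; a real pipeline would count them
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, **ev})
    return alerts


def run_sample():
    """Run the rules over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']} {a['host']:12} {a['rule']:32} user={a['user']} src={a['src']}")
```

None of these rules depend on a signature for a particular implant; they fire on deviations from how the environment is supposed to be administered, which is the only kind of signal available against an actor that is deliberately not making noise. The cost of that approach is that the allowlists have to be accurate and maintained, which is itself a piece of the basic hygiene the section above describes.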

THE BOTTOM LINE
Salt Typhoon exploited basic security failures — unpatched routers, weak credentials — not sophisticated zero-days. The basics matter at national scale.
The CALEA compromise is the most significant element — accessing the wiretap list tells China which of their assets the US had identified.
Dwell time of 3+ years means the network perimeter as a security model failed entirely. Assume-breach architecture is the correct response.
The campaign is ongoing. As of early 2026, full remediation has not been confirmed. 200+ organizations across 80 countries remain potentially affected.
The CALEA backdoor argument is settled. Mandated government access creates attack surfaces that adversaries will find and exploit.